Delegate Print Server Printer Permissions with PowerShell

The company I work for has about 100 remote locations, each having its own local server. These local servers act as a print server for that particular remote site. The help desk here needs the ability to manage these printers, and more specifically, to view and change the port configuration associated with each printer in the event one needs to be redirected. Normally this would require admin rights to the server, unless you manually go to the Security tab of each printer, add the group you want, and assign it permissions. Obviously, this is very time-consuming and inefficient. So, let’s do it the smart way: with PowerShell. (Side note: this even works against a Server 2008 32-bit print server if you’re running it from a workstation with Windows 10.)

Step 1: Manually configure a single printer with the permissions you want.

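Step 2: Query that security configuration with PowerShell, like so (the values in angle brackets are placeholders for your own server and printer names):

Get-Printer -ComputerName "<PrintServer>" -Name "<PrinterName>" -Full | Where devicetype -EQ "Print" | Select -ExpandProperty PermissionSDDL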

This command will spit out an ugly-looking string of characters that won’t make much sense to you. It is the printer's security descriptor in SDDL form, and with it we can apply the same security settings you configured manually to any other printer. Mine looked like this:

"G:SYD:(A;;SWRC;;;WD)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;PO)(A;OIIO;RPWPSDRCWDWO;;;PO)"
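Before stamping that string onto other printers, it helps to see who it actually grants what. The function below is an added example, not part of the original post: it decodes a PermissionSDDL into one row per ACE. `ConvertFrom-PrinterSddl` is a hypothetical helper name, and the mask labels assume the standard spooler access constants from winspool.h.

```powershell
# Added example: decode a printer PermissionSDDL into one row per ACE.
# ConvertFrom-PrinterSddl is a hypothetical helper name, not a built-in cmdlet.
function ConvertFrom-PrinterSddl {
    param([Parameter(Mandatory)][string]$Sddl)

    # RawSecurityDescriptor parses the SDDL text into owner, group and DACL.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl

    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier

        # Resolve the SID to a name; fall back to the raw SID if it cannot be mapped
        # on the machine running the script.
        $principal = try {
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $sid.Value
        }

        # Spooler access masks (winspool.h constants plus standard rights):
        #   0x20008 = PRINTER_ACCESS_USE | READ_CONTROL  -> "Print"
        #   0xF000C = PRINTER_ALL_ACCESS                 -> "Manage this printer"
        #   0xF0030 = JOB_ALL_ACCESS                     -> "Manage documents"
        $right = switch ($ace.AccessMask) {
            0x20008 { 'Print' }
            0xF000C { 'Manage this printer' }
            0xF0030 { 'Manage documents' }
            default { '0x{0:X}' -f $_ }   # anything else is shown as the raw mask
        }

        [pscustomobject]@{
            Principal   = $principal
            Sid         = $sid.Value
            Type        = $ace.AceType    # AccessAllowed or AccessDenied
            Right       = $right
            Inheritance = $ace.AceFlags   # OIIO shows as "ObjectInherit, InheritOnly"
        }
    }
}

# The SDDL string shown on this page.
$sddl = 'G:SYD:(A;;SWRC;;;WD)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;PO)(A;OIIO;RPWPSDRCWDWO;;;PO)'
ConvertFrom-PrinterSddl -Sddl $sddl | Format-Table -AutoSize
```

Set-Printer -PermissionSDDL writes the descriptor as a whole, so run the decoder on a target printer's current PermissionSDDL as well if that printer may carry entries you want to keep.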

So now, in order to apply those security settings to a different printer, run the following (obviously substitute your own information for the placeholders and the full SDDL string):

Set-Printer -ComputerName "<PrintServer>" -Name "<PrinterName>" -PermissionSDDL "G:SYD:(A…"

“But Vince! This will still take forever!” Yeah, I know. Did I say I was finished? Let’s make it better. For starters, let’s do all the printers on a single server at once:

$printers = Get-Printer -ComputerName "<PrintServer>" | where name -NE "Microsoft XPS Document Writer" | where devicetype -EQ "Print"
$printers | Set-Printer -ComputerName "<PrintServer>" -PermissionSDDL "G:SYD:(A…"

Now, if you really want to get things moving, why not do all the printers for all the servers at once? You’ll obviously need some intelligent way to identify which servers are print servers to do this, whether that’s by OU or naming convention. And I’m not saying this is the only way to do this. This is simply what worked for me. You can see I’m filtering computers by name, OU, and whether or not they are enabled. I’m also doing a ping test before attempting to run any commands against the server, and I have a progress bar.

Import-Module ActiveDirectory

# The SDDL captured from the reference printer in Step 2.
$sddl = "G:SYD:(A;;SWRC;;;WD)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;PO)(A;OIIO;RPWPSDRCWDWO;;;PO)"

# Adjust the name pattern and SearchBase to match how your print servers are named and organized.
$servers = @(Get-ADComputer -Filter {name -like "*print*"} -SearchBase "ou=servers,dc=domain,dc=com" | where enabled -EQ $true | Sort-Object name)
$i = 0

ForEach($server in $servers){
    $servername = $server.name
    $i++
    Write-Progress -Activity "Setting permissions for printers on $servername" -PercentComplete (($i / $servers.count)*100)
    # Skip servers that do not answer a single ping.
    If(Test-Connection -ComputerName $servername -BufferSize 16 -Count 1 -ErrorAction SilentlyContinue){
        $printers = Get-Printer -ComputerName $servername | where name -NE "Microsoft XPS Document Writer" | where devicetype -EQ "Print"
        # Set-Printer errors are suppressed here, so a printer that fails to update is skipped silently.
        If($printers){$printers | Set-Printer -ComputerName $servername -PermissionSDDL $sddl -ErrorAction SilentlyContinue}
    }
}
